Categories

An EU agency has grappled with thorny issues surrounding the adoption of IoT technology in hospitals to draft a series of best practice guidelines.

The European Union Agency for Network and Information Security (ENISA) study engaged information security officers from more than 10 hospitals across the EU, painting a picture of the smart hospital ICT ecosystem. Security experts at the agency analysed attack scenarios before coming up with a risk-based approach that focuses on relevant threats and vulnerabilities.

Increased risks ranging from ransomware attacks on hospitals IT systems and DDoS assault to hackers selling stolen medical data through cybercrime forums shows that a change in mentality by hospital IT staff and their mangers is required, according to ENISA. Modernisation and innovations such as remote patient care are pushing hospitals towards the adoption of smart solutions. Emerging security and safety issues are sometimes getting overlooked or ignored in this headlong rush.

The introduction of Internet of Things (IoT) components in the hospital ecosystem, increases the variety and volume of potential ways hospitals might become vulnerable to cyber-attacks, ENISA warns.

ENISA's recommendations from its report (PDF) centre on a three point plan.

Healthcare organisations should provide specific IT security requirements for IoT components. Only state-of-the-art security measures should be applied.

Smart hospitals should identify assets and how these will be interconnected before drawing up policies and practices.

Device manufacturers should incorporate security into existing quality assurance systems. Healthcare organisation should be involved in the designing systems and services from the very beginning.

ENISA executive director Udo Helmbrecht commented: "Interconnected, decision-making devices offer automation and efficiency in hospitals, making them at the same time vulnerable to malicious actions. ENISA seeks to co-operate with all stakeholders to enhance security and safety in hospitals adopting smart solutions, namely smart hospitals."

Healthcare is moving up on the policy agenda. The adoption of the EU Directive on Security of Network and Information Systems (NIS) covers healthcare organisations. ENISA plans to support EU member states with the introduction of baseline security measures to the critical sectors, focusing on healthcare organisations, from next year onwards. ®

Issues with the Met's information systems have contributed to failures to protect children at risk of sexual exploitation, according to a report by Her Majesty's Inspectorate of Constabularies (HMIC).

Published today, the 113-page report [PDF] following HMIC's inspection into national child protection, reported how London's Metropolitan Police Service (MPS) has had issues with its IT systems that are contributing to failures to protect vulnerable children.

Police staff told HMIC that information on the Met's Crime Recording Information System (CRIS), which holds data regarding children's circumstances and vulnerability, was “not easy to locate” and “complicated” while the system's usage was “neither universally adhered to nor universally understood”.

This is particularly a concern with regards to the force's risk assessments, according to HMIC, which said that in many incidents the cops failed to reflect the intelligence their systems held or simply made inaccurate assessments.

HMIC reported that some cases were graded as being of only “medium risk of harm on the basis that the children in question were 'streetwise and able to take care of themselves'.”

In one such incident, the report went on to explain, a 13-year-old girl who went missing overnight was assessed as only being at medium risk because she was “streetwise” despite the Met's communications centre receiving a report that the child was “alone and unsafe in a house with three men”.

Connectivity issues with the Met's IT systems meant this information was “in an email inbox in the MPS for 14 hours before the force acted on it.”

HMIC stated that such findings “in relation to the flagging and retrieval from the police computer systems of relevant information about child protection issues are a particular concern.”

IT explained that the difficulty of locating information on the current force IT systems risks cases being dealt with in isolation is leading to potential intelligence gaps.

The report concluded: "The lack of connection between the MPS IT systems, databases and spreadsheets used to record such analyses exacerbates this problem. As a result, much of the information on victims, offenders and risk is kept in isolated pockets across the force. This contrasts sharply with the free movement of people (both victims and offenders) around the capital." ®

A smartphone app flaw has left Tesla vehicles vulnerable to being tracked, located, unlocked, and stolen.

Security experts at Norwegian app security firm Promon were able to take full control of a Tesla vehicle, including finding where the car is parked, opening the door and enabling its keyless driving functionality. A lack of security in the Tesla smartphone app opened the door to all manner of exploits, as explained in a blog post here. The cyber-attack unearthed by Promon provides additional functionality to that exposed by Keen Security Labs in a different hack in late September.

Tom Lysemose Hansen, founder and CTO at Promon, said: "Keen Security Labs' recent research exploited flaws in the CAN bus systems of Tesla vehicles, enabling them to take control of a limited number of functions of the car. Our test is the first one to use the Tesla app as an entry point, and goes a step further by showing that a compromised app can lead directly to the theft of a car."

One way for the hack to work is for cybercriminals to set up a Wi-Fi hotspot, likely close to a public Tesla charging point. When Tesla users log in and visit a page, an advert targeting car owners appears, offering an incentive such as a free meal or coffee. When clicking this link and downloading the accompanying app, hackers can gain access to the user's mobile device, allowing them to attack the Tesla app and obtain usernames and passwords.

Youtube Video

In an update, Promon outlines the many and varied security shortcomings of Tesla's app.

This attack is not Tesla specific, and can in generalised form be used against any app. However, the Tesla app did not offer any kind of resistance which would require time-consuming effort to exploit.

One thing that stood out was that the OAuth token is stored in plain text – absolutely no attempts have been made to encrypt it, or otherwise protect it. Getting access to this one piece of data alone will get you the location of the car, ability to track the car and being able to unlock the car.

Driving off with the car requires the username and password in addition, which was very easy to do since the application did not detect that it had been modified to add malware-like behaviour that would send the credentials out of the app to a server.

"If Tesla had followed best practice in security (e.g. as recommended by the Open Web Application Security Project), including applying self-protecting capabilities inside the app, it would have required much higher technical skills – and much more effort – to perform such an attack," according to Promon. The Norwegian app security firm said that it was in "close dialogue with Tesla" in order to address these app security issues.

El Reg asked Tesla to comment on the research on Thursday, a US national holiday. We're yet to hear back but we'll update this story as and when we hear more.

John Smith, principal solutions architect at app security firm Veracode, commented: "With Tesla just recently remediating a vulnerability which allowed the car to be exploited remotely, this new security flaw leaves the car vulnerable to theft and highlights the plethora of challenges that car manufacturers now face as they introduce internet-connected services into the car. Vulnerable software is one of the most significant challenges faced by the automotive industry, with findings from a recent IDC report indicating that there could be a lag of up to three years before car security systems are protected from hackers.

"There are over 200 million lines of code in today's connected car, not to mention smartphone apps linked to the car. So it is essential that car manufacturers put security at the heart of the development strategy, rather than as an afterthought." ®

Researchers at Norway-based security firm Promon have demonstrated how thieves with the necessary hacking skills can track and steal Tesla vehicles through the carmaker’s Android application.

In a video released this week, experts showed how they could obtain the targeted user’s credentials and leverage the information to track the vehicle and drive it away. There are several conditions that need to be met for this attack and the victim must be tricked into installing a malicious app on their mobile phone, but the researchers believe their scenario is plausible.

According to Promon, the Tesla mobile app uses HTTP requests and an OAuth token to communicate with the Tesla server. The token is valid for 90 days and it allows users to authenticate without having to enter their username and password every time they launch the app.

The problem is that this token is stored in cleartext in the app’s sandbox folder, allowing a remote attacker with access to the device to steal the data and use it to send specially crafted requests to the server. Once they obtain this token, criminals can use it to locate the car and open its doors. In order to enable the keyless driving feature and actually steal the vehicle, they need to obtain the victim’s username and password as well.

Experts believe this can be achieved by tricking the user into installing a piece of malware that modifies the Tesla app and steals the username and password when the victim enters them in the app. According to researchers, the legitimate Tesla app can be modified using one of the many vulnerabilities affecting Android, such as the issue known as TowelRoot. The TowelRoot exploit, which allows attackers to elevate privileges to root, has been used by an Android malware dubbed Godless.

In order to get the victim to install the malicious app, the attacker can use various methods, including free Wi-Fi hotspots.

“When the Tesla owner connects to the Wi-Fi hotspot and visits a web page, he is redirected to a captive portal that displays an advertisement targeting Tesla owners. In [our] example, an app was advertised that offers the Tesla owner a free meal at the nearby restaurant. When the Tesla owner then clicks on the advertisement, he is redirected to the Google Play store where the malicious app is displayed,” experts said.

While there are multiple conditions that need to be met for the attack to work, researchers pointed out that many devices run vulnerable versions of Android and users are often tricked into installing malware onto their devices.

Promon has not disclosed any technical details about the attack method. The company says it has been working with Tesla on addressing the issues. It’s worth noting that Tesla has a bug bounty program with a maximum payout of $ 10,000 for each flaw found in its websites, mobile apps and vehicle hardware.

This is not the first time researchers have demonstrated that Tesla cars can be hacked remotely. A few weeks ago, experts at China-based tech company Tencent showed that they could remotely control an unmodified Tesla Model S while it was parked or on the move. Tesla quickly patched the vulnerabilities found by Tencent, but downplayed their severity, claiming that the attack was not fully remote, as suggested in a video released by experts.

SecurityWeek has reached out to Tesla for comment and will update this article if the company responds.

Melbourne man Paul Sant has been charged with unauthorised broadcasting over to pilots over radio bands restricted to aviation users, causing one plane to abort a landing to Tullamarine Airport.

Sant, 19, is alleged to have placed 16 separate transmissions to pilots at Tullamarine and Avalon airports between 5 September and 3 November.

He faces up to a maximum 20 years jail.

The Rockbank man and one-time employee of airline Virgin Australia has been charged with four counts of endangering the safety of aircraft and one count of interference likely to endanger safety.

Media report Sant's lawyer told the court he has been diagnosed with autism and depression without medication.

Australian Federal Police (AFP) confirmed to Vulture South Sant is not alleged to have "hacked" any aviation system, contrary to reports, but merely used broadcasting equipment to make transmissions to pilots in contravention of aviation security laws.

Aviation transmission kit on eBay.

Aviation transmission gear capable of communicating with pilots can be bought online for around AU$ 200.

Enthusiasts regularly tune into the broadcasts which are sent unencrypted meaning no hacking is required to make transmissions.

Mozilla has given the widely-used cURL file transfer library a thumbs up in a security audit report that uncovered nine vulnerabilities.

Of those found in the free security review were four high severity vulnerabilities leading to potential remote code execution, and the same number of medium risk bugs. One low risk man-in-the-middle TLS flaw was also uncovered.

A medium case insensitivity credential flaw in ConnectionExists() comparing passwords with strequal() was not fixed given the obscurity and difficulty of the attack.

The remaining bugs were shuttered in seven patches after two vulnerabilities were combined in the largest cURL fix to date.

More fixes are on the way, cURL lead developer and Mozilla engineer Daniel Stenberg says.

"While working on the issues one-by-one to have them fixed we also ended up getting an additional four security issues to add to the set [from] three independent individuals," Stenberg says.

"All these issues [made for] a really busy period and … I could get a short period of relief until the next tsunami hits."

Five Mozilla engineers from the Berlin-based Cure53 team which conducted the 20-day source code audit.

"Sources covering authentication, various protocols, and, partly, SSL/TLS, were analysed in considerable detail. A rationale behind this type of scoping pointed to these parts of the cURL tool that were most likely to be prone and exposed to real-life attack scenarios," the team wrote in the [PDF].

"At the same time, the overall impression of the state of security and robustness of the cURL library was positive."

Stenberg says he applied for the audit fearing a recent run of security vulnerability reports may have pointed to undiscovered underlying problems.

The report was finished 23 September and fixes produced over the ensuing months.

The developer says fewer checks and possible borked patches may result from the decision to audit in secret.

"One of the primary [downsides] is that we get much fewer eyes on the fixes and there aren’t that many people involved when discussing solutions or approaches to the issues at hand," Stenberg says.

"Another is that our test infrastructure is made for and runs only public code [which] can’t really be fully tested until it is merged into the public git repository." ®